BugTraq
Netscape 7.02 Client Detection Tool plug-in buffer overrun
Jul 14 2003 02:48PM
martin rakhmanoff (jimmers yandex ru)
Advisory name
=============
Netscape 7.02 Client Detection Tool plug-in buffer overrun
Affected software
=================
Netscape 7.02 for Windows
Problem description
===================
Netscape 7.02 (and probably earlier versions) ships with a Client Detection
Tool plug-in that handles the application/x-cdt MIME type. One of this
plug-in's routines suffers from a buffer overrun. To exploit this issue, an
attacker sends the victim a mail message carrying an attachment with a
specially crafted filename and entices the victim to double-click it. When
the victim double-clicks the attachment, the attacker's code is executed in
the context of the victim's user account. A proof-of-concept exploit is
published in the whitepaper "CDT plug-in bug: exploit in ASCII":
http://jimmers.russia.webmatrixhosting.net/whitepapers/CDTbug.pdf
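The advisory ties the trigger to a mail attachment: it is handed to the CDT plug-in through the application/x-cdt MIME type and carries an over-long, crafted filename. A mail gateway can flag both properties before the message reaches a Netscape 7.02 user. The following is an added example written for this page, not code from the advisory or its author; the sample messages are constructed, and the filename-length threshold MAX_FILENAME is an assumption chosen for illustration, since the advisory does not state the size at which the plug-in overruns.

```python
"""Mail-gateway check for attachments matching the CDT plug-in trigger.

Added example for this advisory (not the author's code). It flags two
things the advisory associates with the bug: attachments served under the
application/x-cdt MIME type, and attachments whose filename is unusually
long. MAX_FILENAME is an assumed threshold, not a value from the advisory.
"""
from email import policy
from email.parser import BytesParser

MAX_FILENAME = 64  # assumed threshold for "unusually long", tune per site
CDT_MIME = "application/x-cdt"  # MIME type named in the advisory


def suspicious_attachments(raw: bytes, max_len: int = MAX_FILENAME) -> list:
    """Parse a raw RFC 822 message and return (filename, content_type,
    reasons) for every attachment that matches the CDT trigger profile.
    An empty list means nothing matched."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        reasons = []
        if ctype == CDT_MIME:
            reasons.append(f"{CDT_MIME} MIME type")
        if len(name) > max_len:
            reasons.append(f"filename length {len(name)} > {max_len}")
        if reasons:
            findings.append((name, ctype, reasons))
    return findings


# Constructed sample: one benign body part, one application/x-cdt
# attachment, and one attachment with a 124-character filename.
LONG_NAME = "A" * 120 + ".bin"
SAMPLE_MAIL = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

hello
--XX
Content-Type: application/x-cdt; name="probe.cdt"
Content-Disposition: attachment; filename="probe.cdt"

AAAA
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="%s"

BBBB
--XX--
""" % (LONG_NAME.encode(),)

# Constructed sample with an ordinary attachment only.
CLEAN_MAIL = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: constructed clean message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="YY"

--YY
Content-Type: text/plain

report attached
--YY
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

CCCC
--YY--
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MAIL), ("clean", CLEAN_MAIL)):
        for name, ctype, reasons in suspicious_attachments(raw):
            print(f"[{label}] {name!r} ({ctype}): {', '.join(reasons)}")
```

The MIME-type check is exact, so a gateway that rewrites or strips the Content-Type header should run this before that step; the length check is deliberately coarse and is there to catch the crafted-filename delivery path regardless of the declared type.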
Mitigating factors
==================
The attacker must know the victim's OS and the length of the victim's username
to exploit this issue. The proof-of-concept exploit also assumes that the user
runs Windows with default settings.
Resolution
==========
Manually remove the CDT plug-in (npcdt.dll) from the Netscape /components folder,
or upgrade to the latest version of the browser, which has the CDT plug-in removed.
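The manual fix above is a per-machine step; an administrator with many Netscape installs would want to inventory and disable npcdt.dll in bulk. The script below is an added example for this page, not code from the advisory or from Netscape. It walks install roots the caller supplies (the actual Netscape install path is not given in the advisory, so none is hard-coded), reports each copy of npcdt.dll it finds, and on request renames it with an assumed `.disabled` suffix so the browser can no longer load it while leaving an easy rollback.

```python
"""Inventory and quarantine helper for the Netscape CDT plug-in (npcdt.dll).

Added example, not from the original advisory. Walks caller-supplied
install roots (assumed locations), lists every npcdt.dll found and, unless
dry_run is set, renames it so Netscape cannot load it. The DISABLED_SUFFIX
is our choice, not something the advisory specifies.
"""
import os
import sys
from pathlib import Path

PLUGIN_NAME = "npcdt.dll"      # DLL named in the advisory
DISABLED_SUFFIX = ".disabled"  # assumed suffix; any non-.dll suffix works


def find_cdt_plugins(roots) -> list:
    """Return every npcdt.dll under the given roots. The match is
    case-insensitive because the affected platform is Windows."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                if f.lower() == PLUGIN_NAME:
                    hits.append(Path(dirpath) / f)
    return hits


def disable_cdt_plugin(dll_path) -> Path:
    """Rename the DLL out of the way and return its new path. Refuses to
    touch anything that is not npcdt.dll so a bad argument cannot break
    another component."""
    dll_path = Path(dll_path)
    if dll_path.name.lower() != PLUGIN_NAME:
        raise ValueError(f"refusing to touch {dll_path}: not {PLUGIN_NAME}")
    target = dll_path.with_name(dll_path.name + DISABLED_SUFFIX)
    dll_path.rename(target)
    return target


def remediate(roots, dry_run: bool = True) -> list:
    """Find all copies and, unless dry_run, disable them.
    Returns a list of (found_path, new_path_or_None)."""
    results = []
    for hit in find_cdt_plugins(roots):
        new_path = None if dry_run else disable_cdt_plugin(hit)
        results.append((hit, new_path))
    return results


if __name__ == "__main__":
    # Usage: python cdt_check.py [--apply] <install-root> [<install-root> ...]
    args = sys.argv[1:]
    apply = "--apply" in args
    roots = [a for a in args if a != "--apply"]
    for found, new_path in remediate(roots, dry_run=not apply):
        state = f"renamed to {new_path}" if new_path else "found (dry run)"
        print(f"{found}: {state}")
```

Run it once without `--apply` to see what would change, then with `--apply` to disable the plug-in; the renamed file can be restored by stripping the suffix if a rollback is ever needed.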
Vendor status
=============
Netscape was notified. Netscape considers this bug "internal", so no
patch will be released.
Copyright (c) 2003 Martin Rakhmanov.
Copyright 2010, SecurityFocus